Stealthy backdoor used to spy on diplomats across Europe

A new, sophisticated backdoor Trojan has been used to spy on targets in embassies and consulates across Southeastern Europe and former Soviet Union republics.

ESET researchers have analyzed and documented the Trojan, which they dubbed Gazer, and are highly confident that it is being used by the Turla cyberespionage group.

The Gazer backdoor and ties to Turla

The researchers have analyzed different Gazer samples and have identified four versions of the malware. Some of the samples were signed with legitimate certificates.

Gazer shares several similarities with other malware (Carbon, Kazuar) used by the Turla APT: it can receive encrypted tasks from a C&C server, uses an encrypted container to store its components and configuration, and logs its actions into encrypted logfiles.

The malware seems to have been in use since 2016, leveraged in targeted attacks against embassies and consulates (Turla’s usual targets) but this is the first time that the malware has been documented.

Gazer flew under the security’s industry radar for a some time. Part of the reason is that the authors used custom encryption (their own library for 3DES and RSA).

“As usual, the Turla APT group makes an extra effort to avoid detection by wiping files securely, changing the strings and randomizing what could be simple markers through the different backdoor versions. In the most recent version we have found, Gazer authors modified most of the strings and inserted ‘video-game-related’ sentences throughout the code,” they noted.

“The witnessed techniques, tactics and procedures (TTPs) are in-line with what we usually see in Turla’s operation: a first stage backdoor, such as Skipper, likely delivered through spearphishing followed by the appearance on the compromised system of a second stage backdoor, Gazer in this case.”

They have provided technical details, indicators of compromise and Yara rules that can be used to flag known variants of the threat.